
Author Topic: Computer Infected with Malware/Virus/Trojan?  (Read 13869 times)


Briansan (Topic Starter)
    Computer Infected with Malware/Virus/Trojan?
    « on: March 09, 2010, 04:26:37 AM »
    Hi,
    I think my computer is infected with something. One online scanner (I now cannot remember which one) said I had a 'bifrost' virus, but I could not find a way to remove it.

    I first noticed something wrong when checking the HTML of websites I have uploaded. Extra code was being added just after the body tag pointing to other sites. I would re-upload the sites and they would stay clean for a day, and then the extra code would reappear again. One example is the following site: www.gaptourism.com

    I tried to run Malwarebytes Anti-Malware, but it would shut down after a few seconds. I was using Panda Cloud Antivirus. It said everything was OK, but it couldn't find an internet connection. I tried various antivirus sites, but many I could not connect to; I was able to do some online scans on some sites. From another computer I made a boot CD with the Panda virus scan from their website, and it found and deleted Rootkit/Booto.C.

    I have followed all the Malware Removal Steps from your site. I have now installed Microsoft Security Essentials instead of Panda Cloud Antivirus, and changed from Windows Firewall to Online Armor. I still cannot run Malwarebytes, so that log is not included below.

    Any help or advice you could give would be greatly appreciated.


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/08/2010 at 05:11 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 4650
    Trace Rules Database Version: 2462

    Scan type       : Complete Scan
    Total Scan Time : 03:12:40

    Memory items scanned      : 456
    Memory threats detected   : 0
    Registry items scanned    : 7196
    Registry threats detected : 2
    File items scanned        : 318214
    File threats detected     : 27

    Adware.Tracking Cookie
       C:\Documents and Settings\Brian\Cookies\[email protected][1].txt
       C:\Documents and Settings\Brian\Cookies\brian@atdmt[1].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][2].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][1].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][2].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][2].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][1].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][2].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][3].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][1].txt
       C:\Documents and Settings\Naomi\Cookies\naomi@imrworldwide[1].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][1].txt
       C:\Documents and Settings\Naomi\Cookies\[email protected][1].txt
       C:\Documents and Settings\Naomi\Cookies\naomi@specificclick[1].txt
       C:\Documents and Settings\Naomi\Cookies\naomi@tacoda[2].txt

    Rogue.Agent/Gen
       HKLM\SOFTWARE\03608623
       HKLM\SOFTWARE\03608623#FirstRun

    Trojan.Agent/Gen-Nullo[QE]
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP765\A0156398.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP765\A0156412.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP767\A0156563.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP771\A0157728.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP772\A0157734.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP772\A0157974.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP772\A0158301.EXE

    Trojan.Agent/Gen-Nullo[Short]
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP771\A0156729.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP771\A0156733.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP772\A0157771.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5CA1F79-E9A2-4DA2-9F18-B1599C1193BA}\RP772\A0157773.EXE

    Adware.CouponBar
       C:\WINDOWS\SYSTEM32\CPNPRT2.CID


    ===============================================================


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:46:02, on 08/03/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\FuzLez\WheelsOfVolume\WheelsOfVolume.exe
    C:\Program Files\GIZMO2\GIZMO.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Brian\My Documents\Downloads\taskbar_shuffle_2.2\taskbarshuffle.exe
    C:\Program Files\VisualTaskTips\VisualTaskTips.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Common Files\Chameleon Manager\monitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: PicLens plug-in for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\PicLens.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [FuzLez WheelsOfVolume] "C:\Program Files\FuzLez\WheelsOfVolume\WheelsOfVolume.exe"
    O4 - HKLM\..\Run: [GIZMO2] C:\Program Files\GIZMO2\GIZMO.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Documents and Settings\Brian\My Documents\Downloads\taskbar_shuffle_2.2\taskbarshuffle.exe
    O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
    O4 - HKCU\..\Run: [Chameleon System Monitor] C:\Program Files\Common Files\Chameleon Manager\monitor.exe /startup
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Add to  Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp07.photoprintit.de/microsite/12855//defaults/activex/IPSUploader.cab
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.domore.ie/member/upload/ImageUploader4.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Google Update Service (gupdate1c9296e95d8854a) (gupdate1c9296e95d8854a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --
    End of file - 10982 bytes
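The symptom in the post above (markup reappearing just after the `<body>` tag of an uploaded site, pointing at other hosts) is something a site owner can check for mechanically. The script below is an added example, not code from this thread or from any of the tools named in it: it compares a deployed page against a known-good baseline copy, lists the lines that were inserted, extracts every external reference (`script`, `iframe`, `object`, `embed`, `link`) whose host is not on the site's own allowlist, and notes whether such a reference sits immediately after `<body>`. The sample pages, the `www.example.com` allowlist entry and the `injected.example.invalid` host are all constructed for illustration; in practice the baseline would be read from a copy kept outside the web root on a machine that is not the suspect one.

```python
"""
Integrity check for deployed web pages: flags lines inserted relative to a
known-good baseline and any external reference (script, iframe, object,
embed, link) whose host is not on the site's allowlist.

Added example; not code from the original thread. All sample HTML, host
names and file contents below are constructed for illustration.
"""
import difflib
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collects external references from tags that can pull in third-party content."""

    # tag -> attribute that carries the external URL
    WATCHED = {"script": "src", "iframe": "src", "object": "data",
               "embed": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []          # (tag, url, line_number)
        self.body_line = None   # line on which the first <body> tag opens

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # 1-based line number of this tag
        if tag == "body" and self.body_line is None:
            self.body_line = line
        wanted = self.WATCHED.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value, line))


def collect_refs(html):
    """Return (refs, body_line); refs is a list of (tag, url, line)."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs, parser.body_line


def foreign_refs(html, allowed_hosts):
    """External references whose host is absent from allowed_hosts.

    Relative URLs have no host and are skipped: they cannot point off-site.
    """
    allowed = {h.lower() for h in allowed_hosts}
    refs, _ = collect_refs(html)
    out = []
    for tag, url, line in refs:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            out.append((tag, url, line))
    return out


def inserted_lines(baseline_html, deployed_html):
    """Lines present in the deployed page but not in the baseline."""
    diff = difflib.unified_diff(baseline_html.splitlines(),
                                deployed_html.splitlines(), lineterm="", n=0)
    return [ln[1:] for ln in diff
            if ln.startswith("+") and not ln.startswith("+++")]


def sha256_hex(text):
    """Content hash, handy for recording what the baseline looked like."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_page(baseline_html, deployed_html, allowed_hosts):
    """Compare a deployed page against its baseline and summarise what changed."""
    _, body_line = collect_refs(deployed_html)
    bad = foreign_refs(deployed_html, allowed_hosts)
    return {
        "modified": sha256_hex(baseline_html) != sha256_hex(deployed_html),
        "inserted_lines": inserted_lines(baseline_html, deployed_html),
        "foreign_refs": bad,
        # True when a foreign reference sits on the line right after <body>,
        # the placement described in the thread
        "injected_after_body": any(body_line is not None and line == body_line + 1
                                   for _, _, line in bad),
    }


# Constructed sample: the clean page as kept in the developer's baseline copy.
BASELINE_HTML = """<!DOCTYPE html>
<html>
<head><title>Tours</title>
<script src="https://www.example.com/js/menu.js"></script></head>
<body>
<h1>Welcome</h1>
<p>Our tours.</p>
</body>
</html>
"""

# Constructed sample: the same page as fetched from the web server, with one
# element inserted immediately after <body> (placeholder host, not a real one).
TAMPERED_HTML = BASELINE_HTML.replace(
    "<body>\n",
    '<body>\n<iframe src="http://injected.example.invalid/index.php"></iframe>\n', 1)

ALLOWED_HOSTS = {"www.example.com"}


def main():
    for label, page in (("baseline", BASELINE_HTML), ("deployed", TAMPERED_HTML)):
        print(label, audit_page(BASELINE_HTML, page, ALLOWED_HOSTS))


if __name__ == "__main__":
    main()
```

Running `audit_page` over every page of a site after each upload gives a record of when an injection appears, which is more useful than eyeballing the HTML: the diff shows exactly what was added, and the allowlist catches references to hosts the site never used even when they are placed somewhere other than directly after `<body>`.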

    evilfantasy (Malware Removal Specialist)
    Re: Computer Infected with Malware/Virus/Trojan?
    « Reply #1 on: March 09, 2010, 11:16:17 AM »
    Welcome to CH.


    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix.

    Briansan (Topic Starter)
      Re: Computer Infected with Malware/Virus/Trojan?
      « Reply #2 on: March 09, 2010, 02:42:28 PM »
      Thank you for your response.

      I have run ComboFix and attached the log report below.

      ====================================================


      ComboFix 10-03-09.04 - Brian 09/03/2010  20:53:32.1.4 - x86
      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3326.2756 [GMT 0:00]
      Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
      AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
      FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\docume~1\Brian\LOCALS~1\temp\hcda.tmp
      c:\documents and settings\Brian\Application Data\.#
      c:\program files\Antispyware
      c:\program files\Antispyware\Antispyware.url
      c:\program files\Antispyware\vistaCPtasks.xml
      c:\program files\temp
      c:\program files\temp\Amazing Windows XP.exe
      c:\program files\temp\Holiday Snowflakes.exe
      c:\program files\WinPCap
      c:\program files\WinPCap\rpcapd.exe
      c:\recycler\S-1-5-21-7608389861-4229364978-742926350-5186
      c:\recycler\S-1-5-21-804958079-876268488-945908249-1003
      c:\windows\COUPON~1.OCX
      c:\windows\CouponPrinter.ocx
      c:\windows\system32\drivers\npf.sys
      c:\windows\system32\Packet.dll
      c:\windows\system32\pthreadVC.dll
      c:\windows\system32\WanPacket.dll
      c:\windows\system32\wpcap.dll
      c:\windows\winhelp.ini

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_icf
      -------\Legacy_npf
      -------\Service_npf


      (((((((((((((((((((((((((   Files Created from 2010-02-09 to 2010-03-09  )))))))))))))))))))))))))))))))
      .

      2010-03-08 17:42 . 2010-03-08 17:42   --------   d-----w-   c:\program files\Trend Micro
      2010-03-08 17:29 . 2010-03-08 17:29   --------   d-----w-   c:\program files\Common Files\Java
      2010-03-08 13:46 . 2010-03-08 13:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-03-08 13:45 . 2010-03-08 13:45   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-03-08 13:45 . 2010-03-08 13:45   --------   d-----w-   c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com
      2010-03-08 12:11 . 2010-03-08 12:11   --------   d-----w-   c:\program files\CCleaner
      2010-03-08 11:02 . 2010-03-08 11:40   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
      2010-03-08 11:02 . 2010-03-08 11:02   --------   d-----w-   c:\documents and settings\Brian\Application Data\OnlineArmor
      2010-03-08 11:01 . 2009-12-05 07:28   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
      2010-03-08 11:01 . 2009-12-05 07:27   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
      2010-03-08 11:01 . 2009-12-05 07:27   223312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
      2010-03-08 11:01 . 2010-03-08 11:01   --------   d-----w-   c:\program files\Tall Emu
      2010-03-08 09:28 . 2010-02-24 09:16   181632   ------w-   c:\windows\system32\MpSigStub.exe
      2010-03-06 17:03 . 2010-03-06 17:04   --------   d-----w-   c:\program files\Microsoft Security Essentials
      2010-03-06 11:30 . 2010-03-06 11:31   --------   d-----w-   c:\documents and settings\Brian\Application Data\QuickScan
      2010-03-06 09:59 . 2010-03-06 09:59   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Temp
      2010-03-06 09:57 . 2010-03-06 09:57   --------   d-----w-   c:\windows\system32\wbem\Repository
      2010-03-06 09:57 . 2010-03-06 09:58   --------   d-----w-   c:\documents and settings\All Users\HF_PCA_1.00.00.0002
      2010-03-06 09:57 . 2010-03-06 09:57   --------   d-----w-   c:\program files\TVUPlayer
      2010-03-04 18:06 . 2010-03-04 18:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
      2010-03-04 18:06 . 2010-03-04 18:06   --------   d-----w-   c:\program files\Lavasoft
      2010-03-02 21:40 . 2010-03-06 09:54   --------   d-----w-   c:\documents and settings\Brian\Local Settings\Application Data\Analog Clock
      2010-03-02 08:58 . 2010-03-06 09:54   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware(2)
      2010-02-22 08:25 . 2010-03-06 09:55   --------   d-----w-   c:\program files\SimpleTaskTimer
      2010-02-19 23:47 . 2010-02-19 23:47   3604480   ----a-w-   c:\windows\system32\GPhotos.scr

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-03-09 20:45 . 2009-01-30 22:41   --------   d-----w-   c:\documents and settings\Brian\Application Data\HPAppData
      2010-03-09 13:02 . 2008-04-16 22:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
      2010-03-08 17:29 . 2009-10-03 01:12   --------   d-----w-   c:\program files\Java
      2010-03-08 13:44 . 2008-03-27 23:14   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2010-03-08 09:36 . 2008-09-16 20:44   --------   d-----w-   c:\program files\Panda Security
      2010-03-06 17:09 . 2007-11-01 11:47   200256   ----a-w-   c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-03-06 11:34 . 2010-03-06 09:54   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-03-06 10:05 . 2007-10-31 01:49   --------   d-----w-   c:\program files\Google
      2010-03-06 09:58 . 2010-03-05 10:50   --------   d-----w-   c:\program files\Spyware Doctor
      2010-03-06 09:57 . 2010-01-16 22:35   --------   d-----w-   c:\program files\FLV Player
      2010-03-06 09:56 . 2010-01-28 15:56   --------   d-----w-   c:\program files\SlickRun
      2010-03-06 09:56 . 2010-01-28 15:56   --------   d-----w-   c:\documents and settings\Brian\Application Data\SlickRun
      2010-03-06 09:56 . 2009-10-14 15:55   --------   d-----w-   c:\program files\CDBurnerXP
      2010-03-06 09:54 . 2009-09-23 22:52   --------   d-----w-   c:\program files\Opera
      2010-03-06 09:54 . 2010-03-04 18:06   --------   dc----w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
      2010-03-06 09:54 . 2010-03-05 10:41   --------   d-----w-   c:\program files\Exterminate It!
      2010-03-06 09:54 . 2010-03-05 10:50   --------   d-----w-   c:\program files\Common Files\PC Tools
      2010-03-06 09:53 . 2010-03-05 11:55   --------   d-----w-   c:\program files\Backdoor Bifrose Removal Tool
      2010-03-06 09:52 . 2010-03-05 14:31   --------   d-----w-   c:\program files\Windows Defender
      2010-03-06 09:12 . 2008-03-27 23:16   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
      2010-03-01 08:52 . 2008-10-01 21:38   --------   d-----w-   c:\documents and settings\Brian\Application Data\vlc
      2010-02-02 14:56 . 2007-10-31 02:44   --------   d-----w-   c:\documents and settings\Brian\Application Data\Serif
      2010-02-02 14:55 . 2007-10-30 23:45   --------   d-----w-   c:\program files\Serif
      2010-02-02 01:29 . 2008-11-24 12:54   --------   d-----w-   c:\documents and settings\Brian\Application Data\Skype
      2010-02-01 17:24 . 2008-11-24 12:58   --------   d-----w-   c:\documents and settings\Brian\Application Data\skypePM
      2010-01-23 21:15 . 2008-07-21 14:38   --------   d-----w-   c:\program files\Aplus DVD Copy
      2010-01-07 16:07 . 2009-10-22 08:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-01-07 16:07 . 2009-10-22 08:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2009-12-23 17:56 . 2009-12-23 17:56   31728   ----a-w-   c:\windows\dbrmdwb.exe
      2009-12-23 17:56 . 2009-12-23 17:56   26   ----a-w-   c:\windows\dbrmdwb.bat
      2009-12-23 17:56 . 2009-12-23 17:56   241744   ----a-w-   c:\windows\system32\DNLEng.dll
      2009-12-23 17:56 . 2009-12-23 17:56   143360   ----a-w-   c:\windows\picn1120.dll
      2009-12-23 17:56 . 2009-12-23 17:56   143360   ----a-w-   c:\windows\picn1020.dll
      2009-12-23 17:56 . 2009-12-23 17:56   1025688   ----a-w-   c:\windows\dbplugin.exe
      2009-12-23 17:56 . 2009-12-23 17:56   2445312   ----a-w-   c:\windows\npdbplug.dll
      2009-12-17 17:14 . 2009-10-03 01:12   411368   ----a-w-   c:\windows\system32\deploytk.dll
      2009-05-12 23:53 . 2007-11-04 01:33   67688   ----a-w-   c:\program files\mozilla firefox\components\jar50.dll
      2009-05-12 23:53 . 2007-11-04 01:33   54368   ----a-w-   c:\program files\mozilla firefox\components\jsd3250.dll
      2009-05-12 23:53 . 2007-11-04 01:33   34944   ----a-w-   c:\program files\mozilla firefox\components\myspell.dll
      2009-05-12 23:53 . 2007-11-04 01:33   46712   ----a-w-   c:\program files\mozilla firefox\components\spellchk.dll
      2009-05-12 23:53 . 2007-11-04 01:33   172136   ----a-w-   c:\program files\mozilla firefox\components\xpinstal.dll
      .

      ------- Sigcheck -------

      [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
      [-] 2004-08-04 . 7399D854596BFEFEED6B60879F28CE07 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Taskbar Shuffle"="c:\documents and settings\Brian\My Documents\Downloads\taskbar_shuffle_2.2\taskbarshuffle.exe" [2007-11-01 827392]
      "VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
      "Chameleon System Monitor"="c:\program files\Common Files\Chameleon Manager\monitor.exe" [2009-10-18 1590784]
      "Google Update"="c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
      "nwiz"="nwiz.exe" [2007-05-10 1626112]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920]
      "RTHDCPL"="RTHDCPL.EXE" [2007-10-17 16855552]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
      "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
      "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
      "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
      "FuzLez WheelsOfVolume"="c:\program files\FuzLez\WheelsOfVolume\WheelsOfVolume.exe" [2005-11-24 487424]
      "GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-05-21 2217224]
      "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-03 198160]
      "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
      "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
       [BU]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
      "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
      "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
      "c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
      "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
      "c:\\Program Files\\Opera\\opera.exe"=

      R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/01/2008 11:58 AM 685816]
      R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [08/03/2010 11:01 AM 223312]
      R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [08/03/2010 11:01 AM 24656]
      R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [08/03/2010 11:01 AM 29776]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 AM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 AM 66632]
      R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [06/01/2008 11:58 AM 85760]
      R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [08/03/2010 11:01 AM 1282248]
      R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [23/10/2007 10:06 PM 472096]
      S1 8d2febeb;8d2febeb;c:\windows\system32\drivers\8d2febeb.sys --> c:\windows\system32\drivers\8d2febeb.sys [?]
      S2 gupdate1c9296e95d8854a;Google Update Service (gupdate1c9296e95d8854a);c:\program files\Google\Update\GoogleUpdate.exe [08/10/2008 5:52 PM 133104]
      S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [05/09/2007 4:10 PM 32384]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 AM 12872]
      S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [08/03/2010 11:01 AM 3291336]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
      HPService   REG_MULTI_SZ      HPSLPSVC
      hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
      .
      Contents of the 'Scheduled Tasks' folder

      2010-03-09 c:\windows\Tasks\Google Software Updater.job
      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-16 11:35]

      2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2008-10-08 19:41]

      2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2008-10-08 19:41]

      2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2865573587-1871110255-1844121720-1005Core.job
      - c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:41]

      2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2865573587-1871110255-1844121720-1005UA.job
      - c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:41]

      2010-03-09 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 18:02]

      2010-03-09 c:\windows\Tasks\User_Feed_Synchronization-{381ECA43-508D-423B-B297-40B884C65A1F}.job
      - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.com/calendar/render?pli=1
      IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
      IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
      IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
      IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
      IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
      IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
      IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
      Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
      DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
      DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp07.photoprintit.de/microsite/12855//defaults/activex/IPSUploader.cab
      FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\uczybqw1.default\
      FF - prefs.js: browser.startup.homepage - www.onetouchireland.com
      FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
      FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
      FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
      FF - plugin: c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
      FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
      FF - plugin: c:\program files\Google\Lively\nplively.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
      FF - plugin: c:\program files\Opera\program\plugins\npdbplug.dll
      FF - plugin: c:\program files\Picasa2\npPicasa2.dll
      FF - plugin: c:\program files\Picasa2\npPicasa3.dll
      FF - plugin: c:\program files\Picasa2\Picasa3\npPicasa3.dll
      FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
      FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
      FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
      .
      - - - - ORPHANS REMOVED - - - -

      AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-03-09 21:00
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 


      c:\windows\system32\SoftwareDistribution
      c:\windows\system32\wuapi.dll.mui 15064 bytes executable
      c:\windows\system32\wuauclt.exe.wusetup.179828.bak 111104 bytes executable
      c:\windows\system32\wuaucpl.cpl.mui 15072 bytes executable
      c:\windows\system32\wups2.dll 44768 bytes executable
      c:\windows\system32\wuaucpl.cpl.wusetup.181484.bak 162304 bytes executable

      scan completed successfully
      hidden files: 6

      **************************************************************************

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ACDC1E8]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
      \Driver\ACPI -> ACPI.sys @ 0xba67dcb8
      \Driver\atapi -> 0x8acdc1e8
      IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
      user & kernel MBR OK

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(540)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll

      - - - - - - - > 'explorer.exe'(3660)
      c:\program files\VisualTaskTips\VttHooks.dll
      c:\windows\system32\msi.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\corel\Graphics8\programs\CMFFld80.dll
      c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
      c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
      c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
      c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\Microsoft Security Essentials\MsMpEng.exe
      c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
      c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\CDBurnerXP\NMSAccessU.exe
      c:\windows\system32\nvsvc32.exe
      c:\windows\system32\wscntfy.exe
      c:\windows\system32\RUNDLL32.EXE
      c:\windows\RTHDCPL.EXE
      c:\windows\system32\rundll32.exe
      c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
      c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
      .
      **************************************************************************
      .
      Completion time: 2010-03-09  21:09:39 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-03-09 21:09

      Pre-Run: 362,417,909,760 bytes free
      Post-Run: 362,379,616,256 bytes free

      WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

      - - End Of File - - BFFC6B7287FF6A0C47F39EF9E3DE44FB

evilfantasy
• Malware Removal Specialist

Re: Computer Infected with Malware/Virus/Trojan?
« Reply #3 on: March 09, 2010, 05:33:05 PM »
Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and logs posted for each one.)

* Copy the file path in the below Code box:
Code:
c:\windows\system32\drivers\tcpip.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file.
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, copy and then paste the link in the address bar into your next reply.

Also scan this file and post the link to the results.

Code:
c:\windows\system32\dllcache\tcpip.sys
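As an added example (not part of evilfantasy's reply and not Jotti's code), the local check a practitioner would run before uploading the two files the reply names: hash the live tcpip.sys and the dllcache copy and see whether they agree. It assumes those two paths (any pair can be substituted, for instance paths on a volume mounted from a boot CD) and that the dllcache copy has not itself been tampered with; the demo function writes constructed bytes rather than real driver contents. Caveat: the gmer output earlier in this log reports a hook on \Driver\atapi, and a rootkit that filters disk I/O can hand clean bytes back to a scan run from inside the infected system, so run the comparison from a boot CD and still submit both files to the multi-engine scanner. A match only shows the two copies agree, not that either one is clean.

```python
"""Hash a live Windows system file against its protected backup copy.

Added example for the thread above, not code from the original post or
from Jotti. Assumptions: the live/backup paths below are the poster's
(substitute any pair, e.g. on an offline mount from a boot CD), and the
backup copy is itself untouched; a rootkit that patched both copies or
that hooks disk reads is not caught by this check.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Default pair: live file -> backup copy (the two files the reply asks
# to have scanned). Adjust for an offline mount.
DEFAULT_PAIRS: List[Tuple[str, str]] = [
    (r"c:\windows\system32\drivers\tcpip.sys",
     r"c:\windows\system32\dllcache\tcpip.sys"),
]


def sha256_of(path: str) -> Optional[str]:
    """Hex SHA-256 of a file, or None if it is missing or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def compare_copies(live: str, backup: str) -> Dict[str, object]:
    """Hash both files and classify the pair.

    verdict: 'match'          identical bytes (live is exactly as
                              trustworthy as the backup, no more)
             'mismatch'       bytes differ: replaced, patched, or updated
                              without the cache being refreshed; submit
                              both files to the scanner
             'missing-live'   live file unreadable
             'missing-backup' nothing to compare against
    """
    live_hash = sha256_of(live)
    backup_hash = sha256_of(backup)
    if live_hash is None:
        verdict = "missing-live"
    elif backup_hash is None:
        verdict = "missing-backup"
    elif live_hash == backup_hash:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {
        "live": live,
        "backup": backup,
        "live_sha256": live_hash,
        "backup_sha256": backup_hash,
        "live_size": os.path.getsize(live) if live_hash else None,
        "backup_size": os.path.getsize(backup) if backup_hash else None,
        "verdict": verdict,
    }


def report(pairs: List[Tuple[str, str]] = DEFAULT_PAIRS) -> List[Dict[str, object]]:
    """Compare every (live, backup) pair and return the results."""
    return [compare_copies(live, backup) for live, backup in pairs]


def run_demo() -> Dict[str, Dict[str, object]]:
    """Exercise the check on constructed files in a temporary directory.

    The bytes are made up, not real driver contents. 'patched' is the
    same file with four bytes changed, so the size stays identical and
    only the hash reveals the difference.
    """
    clean = b"MZ" + bytes(range(256)) * 4                    # constructed
    patched = clean[:300] + b"\xcc\xcc\xcc\xcc" + clean[304:]  # same length
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "drivers")
        cache = os.path.join(tmp, "dllcache")
        os.makedirs(drivers)
        os.makedirs(cache)
        live = os.path.join(drivers, "tcpip.sys")
        backup = os.path.join(cache, "tcpip.sys")
        with open(backup, "wb") as fh:
            fh.write(clean)
        with open(live, "wb") as fh:
            fh.write(clean)
        same = compare_copies(live, backup)
        with open(live, "wb") as fh:
            fh.write(patched)
        differ = compare_copies(live, backup)
        no_backup = compare_copies(live, os.path.join(cache, "absent.sys"))
    return {"same": same, "differ": differ, "no_backup": no_backup}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} {result['verdict']:15s} "
              f"live={result['live_sha256']} backup={result['backup_sha256']}")
    for result in report():
        print(f"{result['verdict']:15s} {result['live']}")
```

Run it with the real paths only from a boot CD against the mounted system volume; on the running system the atapi hook reported by gmer means the bytes you hash may not be the bytes on disk. Keep the two hex digests in your reply alongside the Jotti links so a later reader can tie the scanner's verdict to the exact file you uploaded.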